David Morán Jun 29, 2021 4 min read

Oscorp: Android banking Trojan to steal cryptocurrency and 2FA codes

Oscorp is the new banking trojan that has appeared in the world of Android bankers at the beginning of 2021.


As we already told you about in our 2020 malware summary, in the past year we were able to observe an increase in the detection of banking malware for mobile devices, not only in terms of the number of campaigns, but also in terms of the new families that were detected.

Following the trend of an increase in banking threats on mobile devices, we've seen two new unknown families appear as soon as this new year began, namely Oscorp and Toddler.

In this case we've talked about Oscorp, a family that's new but that doesn't include any significant developments with regard to the families we are already familiar with.

As we've been able to see, credential theft continues to be carried out through accessibility services that abuse their permissions to log accessibility events (similar to keylogging on desktop systems) or to detect the launch of any legitimate applications and show an overlay with the web injection with the phishing form. 

However, it does incorporate something that's less common, which is the direct theft of money, in this case cryptocurrency.

Oscorp abuses accessibility permissions to detect events that occur in a specific wallet application, to determine the available balance of different cryptocurrencies, and ultimately tries to send the cryptocurrency to the attacker's Bitcoin address.

This is a good way to increase the attacker's chances of success in the event the user doesn't use any of the affected banking applications.

Among this malware's code we've also found the ability to steal the two-factor authentication codes stored in the Google Authenticator application.

This is one of the functionalities that seems to be gaining popularity, while the popularity of this type of application that acts as managers of the authentication codes is also increasing.

It is a complement to the theft of text messages, since most banks require some kind of authorization to log into the bank account or carry out transactions, meaning the theft of SMS messages and Google Authenticator authorization codes provides attackers with most of the tools they need to ultimately be successful in stealing money.

In short, we need to be on the lookout for new families and campaigns of banking malware for mobile devices because, as we've already seen, the detection of new families and campaigns is on the rise. We must be prepared to protect our users from the latest techniques for stealing credentials and, ultimately, their money.

Download the full report here.


David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.